hp-plugin downloads plugins via insecure HTTP
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
HPLIP | New | Undecided | Unassigned |
hplip (Ubuntu) | New | Undecided | Unassigned |
Bug Description
While looking at what hp-plugin was doing when it was seemingly hung, I noticed that it calls wget to download an executable via plain HTTP even though www.openprintin
Relevant part from ps axf:
```
10353 pts/4 Ss 0:00 | \_ /bin/bash
10492 pts/4 Sl+ 0:07 | | \_ /usr/bin/python3 /usr/bin/hp-plugin
10507 pts/5 Ss+ 0:00 | | \_ /usr/bin/wget --cache=off -P $HOME/.hplip http://
```
Looks like there are two issues here:
1. Unless a local file exists, a plugin descriptor is downloaded from http://
2. That one then contains the actual download URLs at www.openprintin
The first one has checksums so theoretically it might be ok to download the latter via HTTP (though there is no reason to do so) but the checksums are downloaded via plain HTTP as well.
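The two weaknesses in the report (download URLs taken from a descriptor fetched over plain HTTP, and checksums that travel the same unauthenticated path) can be checked for in code. The following is an added example, not HPLIP's own code: the INI layout with `url=` and `checksum=` keys, the `.invalid` host names and the payload are all constructed, and the checksum only has integrity value if the descriptor itself was fetched over HTTPS.

```python
import configparser
import hashlib
import hmac
from urllib.parse import urlparse

# Constructed sample payload and descriptor; the INI layout and key names
# (url=, checksum=) are an assumption, not copied from HPLIP.
CONSTRUCTED_PAYLOAD = b"constructed plugin payload, not a real hplip plugin\n"
CONSTRUCTED_DESCRIPTOR = f"""
[3.21.2]
url = http://plugin-host.invalid/hplip-3.21.2-plugin.run
checksum = {hashlib.sha256(b'other').hexdigest()}

[3.22.6]
url = https://plugin-host.invalid/hplip-3.22.6-plugin.run
checksum = {hashlib.sha256(CONSTRUCTED_PAYLOAD).hexdigest()}
"""


def require_https(url: str) -> str:
    """Reject any URL that is not https://, so a descriptor cannot send the
    client to a plain-HTTP download that an on-path party could alter."""
    parsed = urlparse(url)
    if parsed.scheme != "https" or not parsed.netloc:
        raise ValueError(f"refusing non-HTTPS download URL: {url}")
    return url


def parse_descriptor(text: str) -> dict:
    """Map each plugin version to its (url, checksum) pair."""
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    return {s: (cfg[s]["url"], cfg[s]["checksum"]) for s in cfg.sections()}


def verify_payload(data: bytes, expected_hex: str) -> bool:
    """Constant-time compare of the payload's SHA-256 against the descriptor value."""
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected_hex.lower())


def accept_plugin(descriptor_text: str, version: str, payload: bytes) -> bool:
    """True only if the version's URL is HTTPS and the payload matches its
    checksum; raises ValueError for an HTTP URL before anything is fetched."""
    url, checksum = parse_descriptor(descriptor_text)[version]
    require_https(url)
    return verify_payload(payload, checksum)
```

Run against the constructed descriptor, the 3.21.2 entry is refused for its `http://` URL, the 3.22.6 entry is accepted only when the payload's SHA-256 matches, and any altered payload is rejected.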
Summary changed from "hp-plugin downloads from openprinting.org via insecure HTTP" to "hp-plugin downloads plugins via insecure HTTP".